Half of UK Businesses Unaware of New EU Data Laws

London UK, 24 April, 2014: Only half of UK businesses are aware of the upcoming EU Data Protection Regulation, compared with 87 per cent awareness in Germany, found research from Trend Micro Incorporated (TYO: 4704; TSE: 4704).

The survey of 850 senior IT decision makers across Europe revealed a lack of basic knowledge about the EU Data Protection Regulation, while British businesses appear to know even less than their continental counterparts. Of the 250 British respondents in the survey, 50 per cent were completely unaware of the impending legislation and just 10 per cent said they fully understood what steps their organisation needs to take to achieve compliance.

Regulation not realistic
More than eight in ten British respondents (85%) believe their organisation faces significant challenges in order to comply with the data protection regulation, with a quarter (25%) saying they don’t even think it’s realistic to adhere to. Lack of employee awareness (44%) and restricted resources (31%) were highlighted as the biggest barriers.

The EU Data Protection Regulation is a set of legislation that aims to comprehensively reform data protection, strengthen online privacy rights and boost Europe’s digital economy. If the regulations are broken, fines could be as high as €100 million or 5 per cent of global revenue.

While 95 per cent of German respondents were aware there would be fines, nearly a quarter (25%) of British businesses had no idea there would be. And nearly half (44%) of UK businesses said 2-4 years was a more realistic timeframe for them to comply.

“With ratification expected in 2014, it’s alarming to see how little is known about such key privacy regulations,” said Rik Ferguson, Vice President Security Research at Trend Micro. “This affects every organisation, regardless of size. If a company processes data then it needs to be aware.
“As companies look to gain maximum value from a new generation of big data projects, data privacy should be a board level discussion. This is not just an IT issue, duty to comply falls to everyone from the receptionist right up to the CEO.”

Vinod Bange, partner and data protection specialist at international law firm Taylor Wessing comments: “The strength of this proposed EU Regulation with scope for significant punitive damages for non-compliance will tip the scales and organisations will not be able to look the other way. Whilst we do not yet know exactly when it will come into force, there is an expectation it may be the end of 2014 so businesses need to act now to ensure they are moving towards a data strategy that fits to the new EU Regulation. It shouldn’t be seen as a simple technology fix. After all, these laws will not be optional, and will influence, in large part, the standard practices for data rich businesses.

“There’s also a business opportunity here, particularly for SMEs, to differentiate their offering now by becoming compliant in advance, at least against the objectives and spirit of the proposed EU Regulation and perhaps advertising themselves as reaching the new benchmark. This will help reassure potential clients that they can be trusted as a partner throughout the upcoming regulatory turmoil.”

Where does responsibility lie?
Even among the UK businesses that are aware of the regulations, there is still a lot of confusion about who it will apply to and whose problem it will be to deal with. For example, 24 per cent of senior IT decision makers either didn’t think the regulation would apply to their organisation or didn’t know.

Nearly four in five (78%) British respondents believe that some responsibility for ensuring compliance with the proposed EU General Data Protection Regulation lies with the organisation as a whole. Over a quarter (28%) place responsibility for this with a data protection officer and around a tenth with the government (10%) or a business insurance provider (10%).

Around two thirds (62%) of respondents believe the proposed EU General Data Protection Regulation would apply to EU registered companies and over a third (34%) think it would apply to companies in business with EU companies. Nearly half the sample (48%) did correctly single out that it would apply to any company that deals with EU resident data, even if that company does not have a legal entity within any of the EU countries.

Next steps
More than eight in ten (84%) UK respondents report that their organisation will need to take steps in order to become compliant. To achieve this, the majority plan to increase employee training on data protection (57%), half (51%) plan to increase investment in IT security and 27 per cent will be improving their business insurance policy in the event of a data breach.

“These findings need to serve as a wake-up call, both to businesses and governments that these changes are coming and we all need to prepare,” said Ferguson. “If they don’t take action there’s the very real chance that they might wake up with a nasty fine on their hands that could potentially have a major impact on their business.

“I would recommend that every business starts the process of compliance with a health check or assessment of where the organisation is right now. What data is stored, how it is processed and what policies currently govern it. This will put organisations in a position to know where the holes are in their data policy and what needs addressing,” added Ferguson.

About the research
The research was carried out in April 2014 by Vanson Bourne and surveyed 850 senior IT decision makers across Europe. Specifically, there were 250 respondents in the UK and 100 respondents from each of the following regions: France, Germany, Benelux, Nordics, Poland and Italy.